there are three basic ways this can work
1) post-filter with authzed CheckPermission: Do your database sort and filtering and then send each candidate result through to authzed for permissions checking. This works best when it's likely (but not guaranteed) that a user has access to any given resource. Example: most youtube videos are public
2) pre-filter with authzed LookupResources: Load all of the resources that the user has access to and then send those IDs in to your database as a where clause for further filtering/sorting. This works best if the user is unlikely to be able to view any given resource and most resources will be included in the result set. Example: most google docs are private.
3) (in-work) export an index from Authzed: Perform a special lookup which returns a compressed database-native index which includes the resources the user can see and which can natively be used by the database to filter internally. This is similar to the where clause approach but works with very large number of authorized resources. https://github.com/authzed/spicedb/issues/207